[2806] in WWW Security List Archive
SSL and certificates
daemon@ATHENA.MIT.EDU (trevor_sterritt@mail.amsinc.com)
Mon Aug 26 19:03:54 1996
From: trevor_sterritt@mail.amsinc.com
Date: Mon, 26 Aug 96 15:29:00 EST
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I have done some research into the whole area of public key encryption,
SSL, SHTTP, and have a question for any experts that might be out there:
Basically - The way I understand it, RSA's public key encryption system
requires both parties to have a digital certificate. The public/private
key pair are used to for authentication, and for the secure transfer of a
negotiated session (secret) key, determined using DES. The session key is
actually used for encryption.
A lot of companies are now boasting products that use RSA's encryption
technology. To use these products, you don't necessarily need a digital
certificate. How can these products be considered secure if one party
does not have a digital certificate?
These are the implications as I see them (let me know if I am way off
base here..)
1. The session key is not transferred securely when one party does not
have a digital certificate. A bad guy could swipe the session key and
"decrypt" data being transferred between the legitimate parties.
2. Both parties can not be authenticated.
3. Uninformed users are being lulled into a false sense of security.
